Best Practices creating a Virtual Machine for Symantec Encryption Management Server (PGP Server)
search cancel

Best Practices creating a Virtual Machine for Symantec Encryption Management Server (PGP Server)

book

Article ID: 156207

calendar_today

Updated On:

Products

Encryption Management Server Desktop Email Encryption Drive Encryption Endpoint Encryption File Share Encryption Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK PGP Encryption Suite

Issue/Introduction

This article contains recommendations for creating virtual machines that are suitable for the PGP Encryption Server (Symantec Encryption Management Server).

Environment

PGP Encryption Server Symantec now supports any version of ESX that is currently supported by VMware.  
For example, if VMware supports Debian 11 on ESX 8, then this will be supported by Symantec Encryption Engineering.

PGP Encryption Server 11 - System Requirements 

PGP Encryption Server 10.5 - System Requirements 

 

Note: Microsoft HyperV is not currently supported, but does run just fine with PGP Encryption Server. 
If you would like to have official support of HyperV, please reach out to Symantec Encryption Support for further guidance and provide the following ticket ID:
IMSFR-998

Resolution

Guest Operating System

The Guest operating system for PGP Encryption Server version 11 (Symantec Encryption Management Server) should be set to Debian Linux and the Guest OS version set to Debian 11 (64-bit).

The Guest operating system for PGP Encryption Server version 10.5.1 (Symantec Encryption Management Server) should be set to Linux and the Guest OS version set to CentOS 7 (64-bit).

 

Selecting the correct operating system results in the selection of suitable defaults for components such as network adapters.

Storage Speed

At the core of Encryption Management Server is a relational database and therefore random disk write speed is very important. In terms of overall performance, disk speed is the most important factor. RAID 10 arrays provide the best random write speed, as does SSD. In a virtual environment, the VMware DataStore may be hosted on SAN storage. Ensure that the team responsible for provisioning the virtual disk is aware that it is being used by a database server.

It is vital that the DataStore on which the virtual disk is stored is not overloaded with disk intensive Virtual Machines because this can severely degrade the performance of Encryption Management Server.

To test the random write speed of your virtual disk, ssh to Encryption Management Server and copy and paste this:

dd if=/dev/urandom of=testfile.$$ bs=1024 count=32768; rm -f testfile.$$

The last line of output will be similar to this which shows a disk speed of 81.3 MB/s:

33554432 bytes (34 MB) copied, 0.412971 s, 81.3 MB/s

In general:

  • 120 MB/s or above: very good
  • 80 MB/s or above: good
  • 60 MB/s or below: unacceptable
  • 40 MB/s or below: very poor

Virtual CPUs

Broadcom recommends a minimum of 2 virtual CPUs for small environments, 4 CPUs for medium environments and 8 CPUs for large environments. Note that each virtual CPU equates to a physical CPU core on the ESXi host. For example, a physical quad core processor in an ESXi host has 4 virtual CPUs. Broadcom recommends that in the Virtual Machine settings, the CPU setting matches the number of virtual CPUs required and the Cores per socket setting remains at its default of 1.

CPU Resource Allocation

CPU resources can be reserved. This means that the Virtual Machine will be guaranteed a specific level of CPU cycles, measured in MHz, whether or not it needs the resources. Generally, a reservation should not be required. A Limit should also not be imposed; the default setting of Unlimited should be retained. 

VMware Tools

VMware Tools enhances performance and improves management. Not only is it required by vMotion, it also enables paravirtual network adapters to be installed and allows quiesced snapshots to be taken. Encryption Management Server 10.5 installs VMware Tools by default.

Memory

Broadcom recommends 8 GB RAM for small/medium environments such as drive encryption only environments and 16 GB to 64 GB for larger environments. The RAM requirements depend on the use of Encryption Management Server (Email, Drive Encryption, FileShare Encryption, Web Email Protection) and the number of users being managed by the server. If there are any doubts as to what will be sufficient please ask Broadcom Support.

Disk Space

For drive encryption only environments, 100 GB would be sufficient for 50,000 users providing backups were not stored on the local disk. If seven days of backups were stored on the local disk (not recommended) around 200 GB would need to be allocated.

If thousands of Web Email Protection mailboxes were hosted on the server then disk space requirements could exceed 1 TB. Thin provisioning of disk space can be used to minimize the physical disk requirements if your organization's policy supports it (clearly, thin provisioning runs the risk of exceeding the physical storage space).

Note that if Encryption Management Server is configured to store backups on a remote server, it still creates and stores each backup on the local disk before uploading it to the remote host. When creating backups, files are compressed several times. Therefore the minimum unused disk space needs to be at least twice the size of each backup. 

It is not possible to expand the virtual disk after Encryption Management Server has been installed. Therefore, if disk space is under provisioned, it will cause considerable inconvenience in future.

Ethernet Adapter

By default, ESXi will use the VMXNET 3 adapter, a paravirtualized NIC designed for performance. This is recommended.

If, for some reason, you wish to choose another adapter type, use the E1000.

SCSI Controller

By default, ESXi will use the VMware Paravirtual controller which can result in greater throughput and lower CPU utilization because the virtualization platform does not have to emulate another device. This controller is recommended.

If, for some reason, you wish to use another controller type, choose either the LSI Logic Parallel or LSI Logic SAS. Each will provide the same performance.

VMware VMotion

VMware vMotion is supported with Encryption Management Server.

NTP

With VMware Tools installed, a Synchronize guest time with host checkbox appears in the Options tab of the Virtual Machine properties. This is disabled by default and enabling it is not recommended. For better accuracy, instead configure NTP in Encryption Management Server. Never enable both NTP and the time synchronization option in VMware Tools because it will result in highly inaccurate timekeeping.

Additional Information